import "pe"

rule malware_windows_moonlightmaze_IRIX_exploit_GEN
{
    // Flags the IRIX exploit binaries (df3, log, xconsole, xlock, xterm) that
    // Moonlight Maze operators reused. The condition requires the ELF magic
    // at offset 0 plus both marker strings, so despite the "windows" prefix
    // in the rule name only ELF images can match; the file-level "pe" import
    // is not referenced by this rule.
    meta:
        description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers"
        reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
        reference2 = "https://www.exploit-db.com/exploits/19274/"
        author = "Kaspersky Lab"
        md5_1 = "008ea82f31f585622353bd47fa1d84be" // sample: df3
        md5_2 = "a26bad2b79075f454c83203fa00ed50c" // sample: log
        md5_3 = "f67fc6e90f05ba13f207c7fdaa8c2cab" // sample: xconsole
        md5_4 = "5937db3896cdd8b0beb3df44e509e136" // sample: xlock
        md5_5 = "f4ed5170dcea7e5ba62537d84392b280" // sample: xterm
    strings:
        // Format string carrying the stack and target addresses, as printed by
        // the exploit tooling.
        $a1 = "stack = 0x%x, targ_addr = 0x%x" ascii
        // Error text emitted when the execl() call fails.
        $a2 = "execl failed" ascii
    condition:
        // 0x7f 'E' 'L' 'F' read big-endian (same bytes as uint32(0) == 0x464c457f).
        uint32be(0) == 0x7f454c46 and $a1 and $a2
}
